Judge blasts Georgia officials' handling of election system

ATLANTA — Georgia election officials have for years ignored, downplayed and failed to address serious problems with the state's election management system and voting machines, a federal judge said in a scathing order this week.

U.S. District Judge Amy Totenberg said those problems place a burden on citizens' rights to cast a vote and have it reliably counted. She called Georgia's voting system "antiquated, seriously flawed, and vulnerable to failure, breach, contamination, and attack."

Despite those findings, Totenberg ruled Thursday that Georgia voters will use that same election system this fall because of concerns about the state's capacity to make an interim switch while also implementing a new system .

Plaintiffs in a lawsuit challenging Georgia's system had asked Totenberg to order an immediate switch to hand-marked paper ballots for special and municipal elections this fall. But she declined, citing worries about the state's capacity to manage an interim switch while also implementing a new system that is supposed to be in place for the March 24 presidential primaries.

"(T)he totality of evidence in this case reveals that the Secretary of State's efforts in monitoring the security of its voting systems have been lax at best — a clear indication that Georgia's computerized election system is vulnerable in actual use," Totenberg wrote in a 153-page ruling that devotes considerable space to chronicling those shortcomings.

Here are some of the concerns Totenberg identified:

LACKLUSTER RESPONSE TO A SECURITY LAPSE

Security experts in 2017 disclosed a gaping hole exposing personal data for 6.7 million Georgia voters, as well as passwords used by county officials to access election-staging files. That lapse at the Center for Election Systems at Kennesaw State University, which managed the system for the secretary of state, still wasn't fixed six months after it was first reported to election authorities.

The relevant servers were wiped soon after the lawsuit was filed. Totenberg said officials' assertions that the servers "were simply 'repurposed ' and not intentionally destroyed or wiped is flatly not credible."

Election officials have refused to "fully acknowledge or remedy these circumstances and their broader ramifications for the voting system's security and reliability," Totenberg wrote. She also said election officials had shown "inconsistent candor" with her about this and other voting system security issues.

The Center for Elections Systems eventually became part of the secretary of state's office. Michael Barnes, who directed it at Kennesaw State remains in that role. But Barnes "could recall little or what expressly was done" after they received notification of the breach, Totenberg wrote.

PROBLEMATIC FROM THE START

Totenberg cited a brief filed by the Electronic Privacy Information Center that says "almost from their inception" the paperless electronic voting machines Georgia has used since 2002 "have been plagued by warnings that the voting machines are unreliable, insecure, unverifiable."

"(W)hile Georgia election officials have effectively taken no steps to address these deficiencies with its DRE-based system — a litany of other states have abandoned the plagued machines in exchange for a more secure and reliable alternative voting method," Totenberg wrote.

BALLOT BUILDING SECURITY

Barnes testified last month that the state's election management system, which is used to build ballots, is housed on private computers not connected to the internet, saying the system is "air gapped." He also testified that he uses a "lockable" USB drive to transfer files between those computers and internet-connected computers.

Relying on testimony from cybersecurity experts, Totenberg wrote that using a USB drive in that way exposes the data to malware and leaves the entire election system vulnerable to contamination.

The state has a contract with election equipment company Election Systems & Software, which employs three people to design and configure Georgia's databases. They built all the ballots for last November's elections, Barnes testified.

They work from home on computers disconnected from the internet, Barnes testified. But Totenberg noted that Barnes couldn't say what physical security measures they have at their homes and that their computers are "outside the secure facilities that the Secretary of State maintains for ballot building."

RISK ASSESSMENTS AND RESPONSE

Fortalice Solutions, a cybersecurity firm hired by the secretary of state's office to do risk assessments, identified 22 security risks in the networks it examined for an October 2017 report. In a subsequent Nov. 30, 2018, report Fortalice found that just three of those risks had been fixed and another three were in the process of being fixed.

Totenberg wrote that the record includes "scant" evidence of what "targeted remedial measures" state officials took following the November 2018 report.

Totenberg also wrote that the state never asked Fortalice or another expert "to conduct an actual cybersecurity review and analysis" of its election-related systems and databases.

VOTER TROUBLES

Totenberg cited a "mountain of voter testimony showing that these vulnerabilities have a tangible impact" on voters' attempts to cast a ballot and have their vote counted.

The plaintiffs provided statements from 137 Georgia voters, two county poll workers and 15 poll watchers about problems during the November 2018 midterm election. Those included: self-casting ballots, malfunctioning voting machines, voter selections flipping to another candidate, and electronic pollbooks showing incorrect polling places or addresses for voters.

STATE RESPONSE

In an email to The Associated Press, Tess Hammock, spokeswoman for Secretary of State Brad Raffensperger, said, "These conclusions are silly and unfounded. At the end of the day no judge should be susceptible to political Rhetoric."

In a subsequent email she added that the secretary of state's office looks forward to implementing the new system.

Much of what Totenberg mentioned took place while now-Gov. Brian Kemp was secretary of state. Kemp spokeswoman Candice Broce didn't respond to emails seeking comment.

Lawyers for the state have argued that implementing a new election system resolves the problems of the old system.

State election officials testified that steps were taken to ensure the election management system's safety when it was transferred from Kennesaw State, and that they had acted to remedy vulnerabilities identified in risk assessments.

During a hearing last month, under questioning by a plaintiffs' attorney, Barnes said, "I feel confident in Georgia's voting system, yes."